The breaches of the SWIFT bank messaging system disclosed in late April have shined a spotlight on the security of all institutional transactions, from securities trading to cash transfers and foreign exchange.
The concern is not so much over any repeat of the breaches at a member of the Society for Worldwide Interbank Financial Telecommunication, a Brussels-based bank cooperative that operates the world's largest bank messaging system. It's more about what the firms that handle financial transactions, such as custodians, are doing to make those transactions secure.
“I've been asked by asset owners, "If the most-sophisticated network in the world is not secure, how can I be sure my assets are?'” said Gregg Sommer, Denver-based partner, head of operational risk assessments, at Mercer Sentinel Group. Cybersecurity for asset transfers “is becoming more and more of a question in our due diligence,” Mr. Sommer said.
Cybersecurity related to asset transfers has always been an issue in custody due diligence, but news of the SWIFT breaches has put it front and center in asset owner RFPs, added Edwina Easton, Chicago-based director-North America at Amaces, a custodial consultant to institutional investors. “Before, messaging might have been, on a scale of one to 10, an eight,” Ms. Easton said. “Now it becomes a 10.”
The SWIFT breaches involved hackers gaining access twice in February via malware, or hostile and invasive software, to the Bangladesh central bank's SWIFT payment terminals, SWIFT said in a news release on its website in late April. The consortium did not specify what was taken, but according to a blog posting on the website of defense and security company BAE Systems PLC, hackers stole $81 million.
SWIFT officials earlier this month announced the organization would require additional sharing of information from members and more guidelines for auditing members' security. The cooperative also said the malware used in the thefts affected the terminals of individual clients and was not a direct assault on SWIFT's messaging system, adding that those terminals' security was the responsibility of the users, not SWIFT.